🔐 Access Control List (ACL)


🧠 Top 5 Key Points

  1. Traffic Filtering:
    ACLs filter network traffic by permitting or denying packets based on criteria such as source or destination IP address, protocol, and port.

  2. Security Control:
    They help protect networks by restricting unauthorized access to specific network segments or devices. A classic ACL is a stateless packet filter: it keeps no connection state, so return traffic is judged entry by entry like any other packet.

  3. Types of ACLs:

    • Standard ACLs (1–99, expanded range 1300–1999): filter on the source IP address only.

    • Standard ACLs are applied as close to the destination as possible; because they cannot see the destination, placing them near the source would cut the source off from everything.

    • Extended ACLs (100–199, expanded range 2000–2699): filter on source IP, destination IP, protocol, and port.

    • Extended ACLs are applied as close to the source as possible, so unwanted traffic is dropped before it crosses the network.

    • Cisco introduced Extended ACLs to provide much finer control. They can filter by:

      • ✅ Source IP
      • ✅ Destination IP
      • ✅ Protocol (TCP, UDP, ICMP, or IP to match any IP protocol)
      • ✅ Port number (80, 443, 22, etc.)

  4. Direction of Application:
    An ACL is bound to an interface in one direction: inbound (packets arriving on the interface) or outbound (packets leaving it). Each interface can carry one IPv4 ACL per direction.

  5. Order Matters:
    ACLs are processed top-down; the first matching entry decides the action and later entries are never consulted. Every ACL ends with an implicit "deny any", so a packet that matches no entry is dropped.



    Quick Comparison

    Requirement                     Standard ACL    Extended ACL
    Filter by source IP             ✅              ✅
    Filter by destination IP        ❌              ✅
    Filter by TCP/UDP               ❌              ✅
    Filter by port (80, 443, 22)    ❌              ✅
    Simpler configuration           ✅              ❌

⚙️ Technical Summary

Feature             Description
OSI Layer           Layer 3 (Network Layer); extended ACLs also read Layer 4 ports
Purpose             Traffic filtering & security
Placement           Router interfaces, one ACL per direction
Default Behavior    Implicit "deny all" at the end of every ACL
Common Use          Restrict access between subnets or to servers

🧰 Packet Tracer Lab – ACL Example


🎯 Goal:

Block traffic from one LAN to another while allowing all other traffic.


🖥️ Network Topology

PC1 (LAN1 - 192.168.1.0/24) ---- Router ---- PC2 (LAN2 - 192.168.2.0/24)

Cabling: PC to router = crossover cable.

IP Address Plan

Device   Interface   IP Address      Network
R1       G0/0        192.168.1.1     192.168.1.0/24
R1       G0/1        192.168.2.1     192.168.2.0/24
PC1      NIC         192.168.1.10    192.168.1.0/24
PC2      NIC         192.168.2.10    192.168.2.0/24

Each PC uses its router interface as default gateway (PC1 → 192.168.1.1, PC2 → 192.168.2.1); without that, pings fail before the ACL is ever consulted.

🪜 Step-by-Step Configuration

🔹 1. Basic Router Configuration

enable
conf t
interface g0/0
 ip address 192.168.1.1 255.255.255.0
 no shutdown
 exit
interface g0/1
 ip address 192.168.2.1 255.255.255.0
 no shutdown
 exit

🔹 2. Create a Standard ACL

Block all traffic sourced from 192.168.1.0/24 (LAN1) heading into LAN2, but allow everything else. The wildcard mask 0.0.0.255 means "ignore the last octet", i.e. match the whole /24.

access-list 10 deny 192.168.1.0 0.0.0.255
access-list 10 permit any

The permit any line is not optional: without it the implicit deny at the end would drop every other packet leaving the interface.

🔹 3. Apply ACL to an Interface

Apply it outbound on interface G0/1 (towards LAN2), i.e. as close to the destination as possible, which is where a standard ACL belongs.

interface g0/1
 ip access-group 10 out
 exit

🔹 4. Verify ACL Configuration

show access-lists

➡ Displays the ACL entries with a hit count per entry, e.g. "(5 matches)", which is the quickest way to confirm the deny line is actually being hit.

show ip interface g0/1

➡ Shows "Outgoing access list is 10" for the interface; show running-config also lists the ip access-group line under the interface.


💡 Testing

  • From PC1 (192.168.1.10) → ping 192.168.2.10 (PC2) → ❌ fails: the echo request is sourced from 192.168.1.10 and is dropped as it tries to leave G0/1.

  • From PC2 → ping PC1 → ❌ also fails. The echo request is allowed in (no ACL faces that direction), but PC1's echo reply is again sourced from 192.168.1.0/24 and is dropped leaving G0/1. A stateless ACL cannot tell LAN1 initiating from LAN1 replying; permitting LAN2-initiated sessions while blocking LAN1-initiated ones needs state (the established keyword for TCP, a reflexive ACL, or a stateful firewall).

  • From the router itself, or from a host on some other network → ping PC2 → ✅ succeeds: packets the router generates are not checked against its own outbound ACLs, and other sources do not match the deny entry.

----------------------------------------------------------------------------------------------------------------------------

Create a Standard ACL

PC1 (LAN1 - 192.168.1.0/24) ---- Router ---- Web server (10.1.1.10)

Cabling: PC to router = crossover; router to web server = crossover.

Block all traffic from the web server (the single host 10.1.1.10) into LAN1, but allow everything else.

access-list 10 deny 10.1.1.10 0.0.0.0
access-list 10 permit any

The wildcard 0.0.0.0 means every bit must match, so the entry covers exactly one address; "host 10.1.1.10" is the equivalent shorthand.

Apply ACL to an Outbound Interface

Apply it outbound on the interface facing LAN1 (G0/1 in this topology), close to the destination.

interface g0/1
 ip access-group 10 out
 exit

EXTENDED ACL

Example 1: Block one PC from accessing a Web Server

Topology

PC1 (192.168.1.10) ----\
                        R1 -------- Web Server (10.1.1.10)
PC2 ------------------/

Requirement

  • ❌ PC1 should not access the web server using HTTP (80) or HTTPS (443).
  • ✅ PC1 can still ping the server.
  • ✅ PC2 can access everything.

Configuration

access-list 100 deny tcp host 192.168.1.10 host 10.1.1.10 eq 80
access-list 100 deny tcp host 192.168.1.10 host 10.1.1.10 eq 443
access-list 100 permit ip any any

The two deny lines match only TCP to ports 80 and 443 from PC1; PC1's ICMP echo and all of PC2's traffic fall through to the final permit ip any any.

Apply the ACL near the source, inbound on the interface where PC1's traffic enters R1 (G0/0 here):

interface g0/0
 ip access-group 100 in

Example 2: Block an entire subnet from another subnet

LAN1: 192.168.1.0/24
LAN2: 10.1.1.0/24

Block all traffic from LAN1 to LAN2:

access-list 100 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip any any

Each example here is a fresh ACL 100. On a real router, remove the previous one first (no access-list 100): new access-list 100 lines are appended after the existing permit ip any any, where they can never match.

Example 3: Allow only ping

Block all traffic except ICMP:

access-list 100 permit icmp any any
access-list 100 deny ip any any

The explicit deny ip any any repeats the implicit deny, but unlike the implicit one it shows a hit count in show access-lists, which makes troubleshooting easier.

Result:

  • ✅ Ping works.
  • ❌ HTTP, HTTPS, FTP, SSH, etc., are blocked.

Example 4: Block FTP only

access-list 100 deny tcp any any eq 21

access-list 100 permit ip any any

Result:

  • ❌ FTP is blocked: port 21 is the FTP control channel, and without it no transfer can be negotiated. The data channel (port 20 in active mode, an ephemeral port in passive mode) is not matched by this entry.
  • ✅ Other traffic is allowed.

How to read an Extended ACL

Take this entry:

access-list 100 deny tcp host 192.168.1.10 host 10.1.1.10 eq 80

Read it as:

  • ACL Number: 100 (extended range)
  • Action: deny
  • Protocol: tcp
  • Source: host 192.168.1.10 (host = wildcard 0.0.0.0, a single address)
  • Destination: host 10.1.1.10
  • Destination Port: eq 80 (HTTP). The eq operator applies to whichever address it follows; placed after the destination it filters the destination port, which is what "don't let this client reach that service" needs.
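The evaluator below is an added example, not code from the original post. It parses the page's own access-list lines and applies Key Point 5 literally: top-down, first match wins, implicit deny when nothing matches. Running it reproduces the lab's test results (PC1's echo request, and equally PC1's echo reply, are denied by ACL 10 on the way out of G0/1), the extended Example 1 (HTTP from PC1 denied, ping from PC1 and everything from PC2 permitted), and the pitfall of appending to an existing ACL 100, where a new entry behind permit ip any any can never fire. The Packet values are constructed test inputs; only the eq port operator is implemented and PORT_NAMES holds just a few IOS port keywords.

```python
"""ACL evaluator added as an illustration (not code from the original post): parses the
page's access-list lines and applies them top-down, first match wins, implicit deny."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

PORT_NAMES = {"www": 80, "ftp": 21, "ssh": 22, "telnet": 23}  # partial list of IOS port keywords

@dataclass(frozen=True)
class Packet:                    # constructed test input, not a real capture
    src: str
    dst: str
    proto: str = "ip"            # "tcp", "udp", "icmp", or plain "ip"
    sport: Optional[int] = None
    dport: Optional[int] = None

def parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' -> (addr, mask); bits set in mask must match.
    A wildcard 1-bit is a don't-care, so the wildcard is inverted to get the mask."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens.pop(0))), 0xFFFFFFFF
    addr = int(ipaddress.IPv4Address(tok))
    return addr, (~int(ipaddress.IPv4Address(tokens.pop(0)))) & 0xFFFFFFFF

def parse_port(tokens):
    """Consume an optional 'eq PORT'; gt/lt/neq/range are rejected rather than misread."""
    if tokens[:1] == ["eq"]:
        port = tokens[1]
        del tokens[:2]
        return int(port) if port.isdigit() else PORT_NAMES[port]
    if tokens and tokens[0] in ("gt", "lt", "neq", "range"):
        raise ValueError(f"port operator {tokens[0]} not supported in this example")
    return None

def parse_ace(line):
    """'access-list N permit|deny ...' -> one entry. Numbers 1-99 and 1300-1999 are
    standard (source only); 100-199 and 2000-2699 are extended."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access control entry: {line}")
    number, action, tokens = int(tokens[1]), tokens[2], tokens[3:]
    ace = {"number": number, "action": action, "proto": "ip",
           "src": (0, 0), "dst": (0, 0), "sport": None, "dport": None}
    if 1 <= number <= 99 or 1300 <= number <= 1999:
        if len(tokens) == 1 and tokens[0] != "any":
            tokens.append("0.0.0.0")     # bare address in a standard ACL = one host
        ace["src"] = parse_addr(tokens)
    else:
        ace["proto"] = tokens.pop(0)
        ace["src"] = parse_addr(tokens)
        ace["sport"] = parse_port(tokens)
        ace["dst"] = parse_addr(tokens)
        ace["dport"] = parse_port(tokens)
    return ace

def _in_spec(spec, ip):
    return (int(ipaddress.IPv4Address(ip)) & spec[1]) == (spec[0] & spec[1])

def ace_matches(ace, pkt):
    return (_in_spec(ace["src"], pkt.src) and _in_spec(ace["dst"], pkt.dst)
            and ace["proto"] in ("ip", pkt.proto)
            and ace["sport"] in (None, pkt.sport) and ace["dport"] in (None, pkt.dport))

def evaluate(acl_lines, pkt):
    """Top-down, first match decides: (action, line), or ('deny', None) for the implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", None

def _covers(a, b):
    """True if address spec a matches every address that spec b matches."""
    return (a[1] & ~b[1]) == 0 and (b[0] & a[1]) == (a[0] & a[1])

def shadowed(acl_lines):
    """Entries that can never fire because an earlier entry already matches everything
    they would, e.g. anything appended after 'permit ip any any'."""
    aces = [parse_ace(line) for line in acl_lines]
    return [acl_lines[i] for i, e in enumerate(aces) if any(
        _covers(f["src"], e["src"]) and _covers(f["dst"], e["dst"])
        and f["proto"] in ("ip", e["proto"])
        and f["sport"] in (None, e["sport"]) and f["dport"] in (None, e["dport"])
        for f in aces[:i])]

# The page's lab ACL (standard, bound outbound on G0/1) and its extended Example 1, verbatim.
ACL_10 = ["access-list 10 deny 192.168.1.0 0.0.0.255", "access-list 10 permit any"]
ACL_100 = ["access-list 100 deny tcp host 192.168.1.10 host 10.1.1.10 eq 80",
           "access-list 100 deny tcp host 192.168.1.10 host 10.1.1.10 eq 443",
           "access-list 100 permit ip any any"]

if __name__ == "__main__":
    print(evaluate(ACL_10, Packet("192.168.1.10", "192.168.2.10", "icmp")))   # PC1's request, and its reply: deny
    print(shadowed(ACL_100 + ["access-list 100 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255"]))
```

Feed it the ACLs from your own configs to see which entry a given packet hits and which entries are dead weight; on the router the same answer comes from the per-entry hit counts in show access-lists.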

🧠 Learning Summary

Concept         Description
ACL Purpose     Filter network traffic
Standard ACL    Based on source IP only
Extended ACL    Based on source IP, destination IP, protocol & port numbers
Direction       Inbound or outbound
Default Rule    Implicit deny at the end

💬 Teaching Tip

“Think of an ACL as a security guard at a router port — it checks every packet’s ID (IP, protocol, port) before letting it pass.”



 
